SecNumCloud is a French cybersecurity certification framework developed by ANSSI that defines a comprehensive set of technical, operational, and legal requirements for cloud service providers. It mandates strict data localization, ensuring all data and metadata remains within the European Union and is protected from foreign extraterritorial laws such as the U.S. CLOUD Act. The framework enforces hardware-level isolation and requires providers to implement zero-trust architectures with continuous verification of every access request.
Glossary
SecNumCloud

What is SecNumCloud?
A rigorous cybersecurity qualification framework established by the French National Cybersecurity Agency (ANSSI) to certify cloud service providers for hosting sensitive government and commercial data.
The certification process involves a mandatory third-party audit against the SecNumCloud reference framework, which covers supply chain security, cryptographic key management, and vulnerability handling. A core requirement is immunity from non-EU law, meaning the cloud operator must demonstrate legal and technical guarantees that prevent foreign administrative access. This makes SecNumCloud the benchmark for sovereign cloud architectures in France, directly addressing the compliance needs of government CTOs and organizations handling sensitive commercial data under GDPR and NIS2 directives.
Core Requirements of SecNumCloud
SecNumCloud is a cybersecurity certification framework established by France's Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). It defines a rigorous set of technical, operational, and legal requirements for cloud service providers to guarantee a high level of protection and sovereignty for sensitive government and commercial data.
Jurisdictional Immunity from Extraterritorial Law
The foundational requirement of SecNumCloud is immunity from non-EU extraterritorial legislation, such as the U.S. CLOUD Act. Certified providers must demonstrate that their corporate structure, operational headquarters, and data processing activities are exclusively governed by EU and French law. This ensures that no foreign authority can legally compel the provider to grant access to hosted data.
- Corporate Ownership: The provider must be headquartered in an EU member state with no foreign controlling interests.
- Operational Sovereignty: All administrative and commercial operations managing the service must be located within the EU.
- Data Localization: All data at rest, in transit, and during processing must remain within EU borders.
ANSSI-Qualified Cryptographic Controls
SecNumCloud mandates the use of state-sanctioned cryptographic modules to protect data confidentiality. Encryption keys must be generated, stored, and managed within a sovereign boundary using hardware security modules (HSMs) that hold an ANSSI qualification. This prevents the cloud provider or any foreign entity from accessing plaintext data.
- Key Management: Requires Hold Your Own Key (HYOK) architectures where the client retains exclusive control.
- Algorithmic Compliance: Mandates the use of ANSSI-approved ciphers and key lengths, often exceeding generic industry standards.
- Physical Security: HSMs must be hosted in certified data centers within France, under the exclusive control of EU citizens.
Continuous Vulnerability Detection and Incident Response
Certified providers must implement a Security Information and Event Management (SIEM) system that continuously monitors the entire infrastructure for threats. They are contractually obligated to notify ANSSI and affected clients of any security incident within a defined, legally binding timeframe. This ensures a proactive, state-integrated defense posture.
- Active Monitoring: 24/7 surveillance of networks, systems, and applications for anomalous behavior.
- Mandatory Reporting: Legally enforced timelines for reporting data breaches to the national authority.
- Penetration Testing: Regular, independent security audits and intrusion tests are required to maintain certification.
SecNumCloud 3.2 Enhanced Protection Levels
The latest version of the framework introduces differentiated protection levels to address varying data sensitivity. The standard level covers sensitive commercial data, while the 'Advanced' level adds hardware-based confidential computing and memory encryption to protect against privileged insider threats and host-level vulnerabilities.
- Standard Level: Logical isolation, ANSSI-qualified encryption, and EU jurisdictional control.
- Advanced Level: Adds Trusted Execution Environments (TEEs) to encrypt data in use, isolating it from the cloud provider's own administrators.
- Migration Path: Provides a clear technical roadmap for organizations to escalate their security posture as threats evolve.
Qualified Personnel and Supply Chain Integrity
SecNumCloud extends its security requirements to the human element and the software supply chain. All personnel with administrative access to the infrastructure must undergo ANSSI-approved security clearance. Furthermore, providers must maintain a verified Software Bill of Materials (SBOM) to guarantee the provenance and integrity of every software component used in the service.
- Personnel Vetting: EU-citizen-only staffing with mandatory security clearances for privileged roles.
- Supply Chain Transparency: Full traceability of all third-party libraries and dependencies to prevent supply chain attacks.
- Operational Integrity: Strict segregation of duties to ensure no single individual can compromise data sovereignty.
Frequently Asked Questions
Clear, technical answers to the most common questions about France's premier cloud security framework, designed for CTOs, compliance officers, and cloud architects evaluating sovereign infrastructure options.
SecNumCloud is a cybersecurity certification framework issued by the Agence nationale de la sécurité des systèmes d'information (ANSSI), France's national cybersecurity agency. It defines a rigorous set of technical, operational, and legal requirements that cloud service providers must meet to guarantee a high level of protection for sensitive data. The framework operates by auditing providers against a comprehensive referential that covers data localization, external administrative access controls, encryption standards, and supply chain security. A key mechanism is the requirement that the cloud provider's data processing and administrative operations must be shielded from non-European laws, specifically the U.S. CLOUD Act. Certification is granted only after a successful audit by an ANSSI-accredited third-party evaluator, and it must be maintained through continuous monitoring. The framework categorizes services into different qualification levels, with the 'SecNumCloud' label being the most stringent, ensuring that the provider's infrastructure, personnel, and legal structure are fully sovereign and immune to extraterritorial jurisdictional reach.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
SecNumCloud operates within a broader ecosystem of regulatory frameworks, architectural patterns, and compliance mechanisms that collectively enforce data sovereignty. These related concepts define the technical and legal landscape for hosting sensitive workloads.
Sovereign Cloud
A cloud architecture ensuring all data and metadata remains under the exclusive jurisdictional control of a specific nation. Unlike standard public cloud, a sovereign cloud eliminates foreign administrative access by requiring local legal entities to operate the infrastructure. SecNumCloud is the French implementation of this principle, combining technical controls with a legal wrapper that prevents extraterritorial data requests under laws like the U.S. CLOUD Act.
Data Residency vs. Data Localization
These two concepts are often conflated but serve distinct purposes:
- Data Residency: The physical storage location of data, often a business choice for latency or policy reasons.
- Data Localization: A legal mandate requiring data to remain within national borders, prohibiting cross-border transfer. SecNumCloud enforces localization by requiring all processing and storage to occur within French territory, satisfying the most stringent government requirements.
Gaia-X
A European initiative building a federated, interoperable data infrastructure based on open standards. Gaia-X defines a common rulebook for identity, trust, and data sovereignty across member states. While SecNumCloud is a national certification, Gaia-X provides the cross-border federation layer that allows certified French clouds to interoperate with other European sovereign infrastructures without compromising jurisdictional control.
Schrems II & the CLOUD Act
Two legal frameworks that fundamentally shaped the demand for SecNumCloud:
- Schrems II (2020): Invalidated the EU-US Privacy Shield, ruling that U.S. surveillance laws do not provide adequate protection for EU data.
- CLOUD Act (2018): Compels U.S.-based cloud providers to hand over data to law enforcement regardless of where it is stored. SecNumCloud directly mitigates these risks by ensuring no foreign administrative access to data.
Hold Your Own Key (HYOK)
A cryptographic model where the data owner retains exclusive control over master encryption keys. The cloud provider cannot decrypt data without explicit authorization. In a SecNumCloud environment, HYOK is often combined with hardware security modules (HSMs) located within French territory, ensuring that even the infrastructure operator cannot access plaintext data under foreign legal compulsion.
Sovereign Landing Zone
A pre-configured, compliant cloud environment template that enforces data residency, access controls, and encryption policies from the moment a workload is deployed. A SecNumCloud-aligned landing zone automatically applies:
- Geofencing to restrict data movement
- Encryption with locally managed keys
- Identity policies tied to national directories This accelerates compliance for government agencies migrating sensitive workloads.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us